Dominion Strategy Forum


Messages - philosophyguy

So, first let me say thank you for doing the commentary and seeking feedback to keep making it better. Having the commentary for things like the championship match adds a lot of value, and overall I really enjoy how it's happening. So, keep up the good work!

Bringing in the players is really hit or miss. With the last match, it dragged a bit (and it was pretty unbalanced between Mic and dudeabides for whatever reason, which was unfortunate because dude really should have gotten more mic time). In the past, it's worked well. I think when the players are talking, it works best as a cage match style, where instead of competing they are trying strategies together and so it feels entirely ok to get suggestions from each other, the chat, etc.

Adam, I think your skill level is up to where you can be the expert commentator. I do like having multiple folks at that level so the commentary can dig into some subtle issues, but right now you're doing well.

I agree that having a playtest or two of the boards would be really helpful, so the commentary can compare the play in the match to the baseline of the playtests.

While I can't speak to security, I can act as a liaison and share your thoughts with the developers. That was my intent: a bit of outreach as I knew it was a concern to some people here. Not sure about the consequent finger wagging and excoriations. Maybe I'm the most visible target, not sure, but I was hoping to take something constructive back.

If you want to take something back, here are a few questions for the developers. I think it's important for Making Fun to have satisfactory answers to these; what you share from those answers is up to you, but since you have a serious trust gap at the moment I would encourage you to be more forthright rather than less.

1. Why are plaintext passwords being written to a log file?

If the passwords were written as a debugging measure that was not supposed to remain in a public release,
2. Why was the decision made to use a method that contravenes best practices, even initially?
3. What failed in our process that this decision was NOT corrected before the public release?
4. Are there any other issues where we made a temporary decision that contravened best practices, and if so have we fixed those issues?
5. How do we know that our answer to #4 is correct? What process verifies that we didn't miss anything?

If it was not a temporary and then overlooked decision,
6. Who made that decision?
7. Is that person aware of security best practices regarding hashing passwords, etc.?
8. Why did that person decide to not follow the best practice in this case?
9. Did that person perform a risk-benefit assessment for the deviation from best practices? What were the conclusions? Was anyone else with security expertise consulted (internally or externally) to check those conclusions?
10. Are there any other issues in which best practices were not known, ignored, or intentionally deviated from? What are they? How confident are you that there are no unknown deviations?

I agree that it can be done better. Chrome has changed its practices too. But the point remains that locally logging plaintext passwords, while dubious and probably unnecessary, is not a security catastrophe.

At some point I'll stop beating on this horse, but I really think this is a fundamental issue. Security is hard. Lots of seemingly innocent decisions can create an attack surface that is surprisingly large. When it comes to passwords, the best practice is to always encrypt them. Now, if there's a compelling reason to deviate from the best practice, I'm willing to listen, but that's not what I'm seeing. What I'm seeing is a company that doesn't recognize that they aren't following the best practice and seems pretty lackadaisical about it.

If you're going to deviate from a best practice, that's the worst attitude you could have. I want an organization that is hyper aware of the fact that they are deviating, and what the consequences of that are, and that inspires confidence that they have done a competent risk-benefit analysis. Nothing about this situation meets those criteria.

In isolation, this issue might not be as severe as I'm treating it, although I think it is. What is undoubtedly severe, however, is that Making Fun is not demonstrating a professional level of concern for security. There's a lot of things that we need to take on trust when it comes to online service providers protecting our credentials, credit card info, etc. Making Fun is starting from a trust deficit, and their actions--both in terms of their coding and in terms of their response when this issue was raised--are not making that deficit any smaller.

Storing passwords in plain text is not secure. You can wave your hands at it as much as you want and say it's not a big deal, but now you just look silly waving your hands and saying wrong things. It's not hard to change this, why isn't it being changed? Ugh.

I want to emphasize Adam's point here. Security is really tough, and there are a lot of subtle ways that applications can have security holes. Never storing plain-text passwords is arguably the most uncontroversial, fundamental, and non-negotiable security best practice. If Making Fun's attitude towards passwords is "meh, not a real issue," then I have very little trust that you are taking security seriously on other issues that I am not smart enough, or deep enough in the code base, to find. Frankly, this attitude is the kind of cowboy coding I expect out of high school kids. It's beyond unacceptable for professionals. If computer programming were a licensed activity, this is the kind of thing that would get your license pulled by the accrediting organization. It really is that bad, and if you don't understand why, then you need to hire a security consultant yesterday in order to make sure your code is safe.
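As an added example (not code from Making Fun or the Goko client, and not the poster's own), here is the defensive shape the thread is asking for: passwords kept only as salted PBKDF2-HMAC-SHA256 hashes with constant-time verification, plus a `logging` filter that strips credential fields before a debug line ever reaches disk. The field names it scans for (`password`, `passwd`, `pwd`, `token`) are an assumption for the example.

```python
import hashlib
import hmac
import logging
import os
import re

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware allows

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

# Field names below are an assumption for this example; match them to your own
# login payload. Handles key=value query strings and "key": "value" JSON.
_SECRET_FIELDS = ("password", "passwd", "pwd", "token")
_KV_PATTERN = re.compile(
    r'(?i)(["\']?\b(?:' + "|".join(_SECRET_FIELDS) + r')\b["\']?\s*[:=]\s*)'
    r'(["\']?)([^"\'&,\s}]*)(\2)'
)

def redact(text: str) -> str:
    """Replace the value of any credential-looking field with [REDACTED]."""
    return _KV_PATTERN.sub(r"\g<1>\g<2>[REDACTED]\g<4>", text)

class CredentialRedactor(logging.Filter):
    """Attach to a logger so the plaintext never reaches the log file at all."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True

if __name__ == "__main__":
    log = logging.getLogger("login")
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    log.addFilter(CredentialRedactor())
    stored = hash_password("hunter2")  # constructed sample credential
    log.debug("login request: %s", '{"user": "bob", "password": "hunter2"}')
    log.debug("verify ok=%s stored=%s", verify_password("hunter2", stored), stored)
```

Running it prints the request line with `"password": "[REDACTED]"` and a stored record containing only the salt and digest, which is the property the thread says was missing.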

I don't see the plaintext password fix in there. Can anyone comment on whether that's been fixed?

Goko Dominion Online / Re: Features Thread
« on: April 21, 2015, 07:58:28 am »
I don't think I've seen this request yet, which may mean it's not incredibly important to the community. But…

One thing I dislike about the current implementation is that, when cards are trashed, there's nothing in the play area reminding you that the card was played. For some cards, like Feast, it's not as big a deal, but when you get into crazy Procession chains or have Knights giving you +whatevers and then getting killed off, it can be confusing to see the play area because it's hard to figure out what happened.

Obviously the log partially solves this problem, and you face the same issue in real life (although I find that it's much easier to keep up with what people do IRL). But I think it would help to have some way of showing how those cards were played, like a ghosted/semi-transparent version of the card remaining in the play area. For really complex chains of actions and for understanding what happens at the start of the turn with durations, it would improve the experience.

Other Games / Re: Any Go players?
« on: August 08, 2013, 03:56:25 pm »
Just started learning. I'm awed by my sheer ineptitude.

I keep getting in the 180-190 range. It's sad which cards I miss: this time I forgot Rats and Sea Hag, last time it was Ambassador and Pirate Ship. You'd think some of these iconic cards would be easy to remember.

But, I am consistently getting all the Knights.

Best sets: Alchemy, Promo, Guilds, and Prosperity. Worst: Intrigue, Hinterlands.

Rules Questions / Forager and Possession
« on: August 01, 2013, 01:03:00 pm »
Assume that there are no treasures in the trash yet.

If I possess my opponent and then on the possession turn force my opponent to trash a Copper with Forager, does the Forager give +$0 or +$1? I think +$0 because the trashed Copper doesn't go to the trash pile, but I wanted to check.

181. It's amazing how easy it is to overlook cards that you know.

I've seen elimination rounds conducted in the way Stef proposes--it's been called a challenge tournament in debate circles. It's a ton of fun and makes for some interesting drama, especially when people propose grudge matches. On the other hand, I don't see the need to do so in order to make the elimination rounds more fair. No bracketing system is perfect, but Kirian's is pretty good and a player seeded below their natural rank is just part of the fun (see: March Madness in NCAA men's basketball).

So, if Kirian wants to do a challenge in the future, I'd enjoy seeing it. But it's not the solution to a problem, because I don't see the problem as being significant enough to be worth "solving."

GokoDom / Re: FAQ needs update
« on: July 23, 2013, 09:22:03 am »
For the future, it might be helpful to just put the games of the seasons. That way, it's easy to figure out if the current season has started already, if you're in signups, whatever, and someone can easily get a sense for how frequently seasons occur.

I think all of the components were important for me to get into Dominion. Part of what made the base game magical was that there were so many different ways the game could play: rush for Gardens, curse your opponent to death, BM-draw, Chapel into a thin deck, etc. Even pieces like +Buy, which were woefully underrated, still were useful in "Province or Duchy-Estate?" decisions.

If the base game hadn't had all of these possibilities, I wouldn't have been confident that there was more to explore and I would have questioned whether an expansion would be worth it. And that, more than anything else, would have killed Dominion for me.

Dominion General Discussion / Re: Pet tricks you haven't tried yet
« on: July 10, 2013, 06:38:44 pm »
That seems a little contrived for Goons. Doesn't ending on piles almost happen naturally when you're going Goons? Or is it that you can end that last pile in one go without having the junk propagate through shuffles?

Embargoing Curses means you get multiple curses with a single buy. That can dramatically reduce the number of gains necessary to end the game. In a Goons game, being able to control the endgame timing is massive.

Guilds Previews / What else *should* Guilds have included?
« on: July 10, 2013, 09:23:09 am »
I've seen a bunch of folks post in other threads that there's more Guilds could have done with the set mechanic and that Guilds should have been a full set. I'm not convinced yet. What else would you like to do with coin tokens or overpaying?

Dominion Articles / Re: Candlestick Maker/Plaza + Double Tactician
« on: July 08, 2013, 04:00:24 pm »
Not sure about Plaza (might help with terminal silvers on the board) and how it helps more than Baker[…]

Well, in both cases you're getting +1 Action, +1 Card. Baker gives you a coin token for free; Plaza lets you discard a treasure card for a coin token. Since you were going to be discarding the treasures with Tactician anyway, it's not really a loss. Yes, it reduces your handsize, but that's negligible since you're starting with 10 cards. So, Plaza is all but superior since it also allows you to play terminal silvers or terminal draw.

Guilds Previews / Re: Baker and game length
« on: July 08, 2013, 01:37:20 pm »
Asking if buying baker will speed the game up seems like asking for tautological answers like "buying Baker will speed the game up in situations where Baker is a good card to buy". Of course for the majority of cards "a good card to buy" is by definition one that speeds the game up. Dominion is a race. If the things you are doing don't get you to the finish line first you should be doing something else.

Yes but not quite. Remember that slogs are very common games as well. Many power cards in fact push the game towards having a slower tempo (junking attacks being the obvious example).

Baker is interesting because it speeds up the game in most deck types: engine, BM, and slog. (Not so much combo decks, unless there's a new combo I missed.) The money smoothing is really useful in BM and slogs, and the delayable coin is really useful in engines for the endgame.

Goko Dominion Online / Re: Ratings Protection: A Question
« on: July 07, 2013, 10:27:21 am »
I don't think it's an issue.

1) In order to even get to the 5500+ level, you need to have played a lot of games and won very consistently against some tough competition. So, the folks who are playing in these 5500+ games are very good.

2) I'm almost laughing imagining what would happen if the guy who plays tennis at the local park on Sundays challenged someone like Nadal. I don't think Nadal would have a problem declining the match, and I don't think anyone would look down on him for doing so. Same for a 9-dan Go player, or a chess GM, or an Olympic sprinter. About the only exception I can think of would be a poker pro, because he or she is likely to turn the am into an ATM machine.

3) I'm even more ok because of the harshness of Goko's rating algorithm. It's extremely unforgiving for a game with as much chance as we have.

Goko Dominion Online / Re: Automatch development thread
« on: July 02, 2013, 03:14:58 pm »
What about further piggybacking solely on embedding metadata into the "title" of the game?

This would be limited to a single room, but the script could automatically switch from room to room after an interval with a failed match.

I think the room switching limitation is a bigger issue than it seems at first. Not only do you have to wait until you AND a match are in the same room, but you have the problem of potential automatch partners (who are also running the script) moving through rooms while you are as well, which makes ending up in the same room at the same time even less likely.

But, from a bigger picture perspective, there's not a good reason to limit automatch to a single room. We're having to be creative because of Goko's awful lobby system, but an outside server is a relatively easy way to overcome that limitation. We're already doing that with the script prettifier, with councilroom, with the custom avatars. I think automatch is significant enough of a feature to warrant the external server—certainly more than custom avatars.

Dominion General Discussion / Re: WW's Power Rankings
« on: July 02, 2013, 03:09:37 pm »
Hey, WanderingWinder. Is it just me, or do I remember a time when you were sort of the star non-engine player of the site? If there's one thing these rankings are telling me, it's that if a card isn't good for an engine, it's pretty much garbage in your eyes.

I've watched almost every video WW has posted on YouTube over the years, and the thing that jumps out at me—to an almost comical degree—is how much of an engine player he's become over the last year. Like, he now finds engines in places that previously only folks like Marin or Stef could pull it off. It's not that he's less skilled at money or alt-VP games. It's that his engine building has gotten that much better.

Goko Dominion Online / Re: Automatch development thread
« on: July 02, 2013, 02:27:14 pm »
How much effort would it be to create the ability to have a personal blacklist of automatch partners?

Also, iso had the issue where someone would sign up for automatch but then would time out on accepting the game, and it took 3 or 4 timeouts before you were paired with someone else. If someone doesn't respond to an automatch request (so not clicking "no," but actually timing out), they should be removed from the queue.

Goko Dominion Online / Re: Automatch development thread
« on: July 02, 2013, 02:18:36 pm »
Upvoting the idea for a rating range relative to you as well as a rating floor. Because of the variability of Goko ratings, though, I think that range will have to be kind of broad.

How would ranking and kingdom selection work? I'd suggest defaulting to a pro game, but it might be nice to include options for an unranked or casual game. I'm okay with not allowing a preset kingdom in automatch (I promise I learned something from the Paralyzed experience!).

Dominion General Discussion / Re: Dominion School: Basic Knowledge
« on: June 25, 2013, 06:07:25 pm »
I love this idea. One thing that would be great to include for each strategy would be a baseline tempo: average time to 4 Provinces (or half VP, or pile out, depending on the strategy). Many midlevel players recognize the strategies but don't know how they perform relative to each other.

Guilds Previews / Masterpiece or Gold?
« on: June 19, 2013, 04:36:29 pm »
The question of whether to go for Masterpiece or Gold will obviously depend on the board, but here's a first approximation using a simple test: which gives your deck a better average card value? Remember that Province games need to hit $1.6/card and $5 rushes or slogs need $1/card.

From crunching the numbers, I have a couple of general observations. First, bigger decks prefer Masterpiece+overpay, since the impact of adding additional cards is smaller. Second, decks with a low total coin value prefer Masterpiece as well, since each additional Silver adds to the deck's coin total.

The threshold depends on both of these things. The actual math is not the kind of stuff you'd want to use in a real game, but we'll build an approximation from it. The formula: If 3*money in deck (prior to purchase) + 5 < 4*cards in deck (prior to purchase), buy Masterpiece.

The more realistic version: when the money:card ratio exceeds 5:4, prefer Gold. So, a 12 card deck with 15 or more coin should lean Gold, less than 15, Masterpiece.

Add IGG and Silk Roads. Rush and alt-VP!
